In conventional malware detection systems, malware detection units are incorporated into a computing device. The malware detection units then monitor system calls issued by processes running on the computing device and detect malware based on the system calls.
Such malware detection systems, however, do not work when placed into a network environment. First, each process typically generates thousands of system calls per second. Thus, transmitting thousands of system calls generated every second by thousands of processes to a malware detection system located elsewhere on a network will overwhelm the network. Second, filtering system calls and transmitting a subset of filtered system calls over a network is not a solution because the malware detection system can misclassify malware based on a subset of system calls.
Embodiments of the disclosure and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures, wherein the showings therein are for the purpose of illustrating embodiments of the disclosure and not for the purpose of limiting the same.